Implementing Electronic Signature Ann Geyer Tunitas Group 209-754-9130 ageyer@tunitas.com Bill Pankey bpankey@tunitas.com
Electronic Signature Defined in law Federal ESIGN Legislation State versions as allowed by ESIGN Implemented thru a variety of technologies signature by computer code entry signatures captured electronically or digitized signatures signature dynamics biometric signatures digital signatures
esignature implemented as expediency, but Must consider critical role of signature in ensuring Patient Consent Authority for medication and other orders Data authenticity (medical records) Execution of business agreements Impacting Compliance (state law, criminal statue, payer COP) Liability defense Patient & Practitioner satisfaction Enforceability of business agreements Stakes are high Major source of Type I JCAHO advisory Potential for Significant Penalties Litigation
Case on point, Magee-Womens Hospital 300 bed tertiary care facility affiliated with the University of Pittsburg Medical Center Implemented electronic signature for its lab systems Routinely affixed pathologists electronic signature to reports Lawsuit initiated by several pathologists repudiating signature placed on negative pap smears Pathologists claimed they never reviewed results purportedly certified by them Allegations of fraud and improper diagnosis Class action suit by patients Seek new testing of all women who had pap smears reviewed by Magee-Womens between 1995 and 2001
What Magee Womens is now learning Critical role of policy Magee-Womens P&P did not ensure clear distinction between Attestation of physicians Technician action that merely implied oversight by physician Review and certification of electronic signature implementations Sensitivity of practitioners to institutional use of their signature Magee-Womens discounted practitioner s interests Liability and reputation issues Wide ranging ramifications of faulty esignature use Authenticity of all, not just the disputed, records comes into question Damage to reputation from very public dispute Increased scrutiny by state & payers sure to follow
The end result of poor esig design.
Session Objectives Instill greater confidence in the appropriateness of electronic signature Changing legal and regulatory environment Provide a framework for evaluating esig technology options Ensure an appropriate level of control Maximize return on investment Anticipate the business issues
Agenda Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Electronic signature technology Speculating about the HIPAA esig Rule Case Studies Business Case Planning
Agenda Why use electronic signatures? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
Why Implement Electronic Signature? Healthcare esig value propositions Improved compliance with state & federal regulation Necessary component of CPOE applications? More efficient workflow Greater transaction completion Reduced document cost
Compliance Many signature acts are mandated by state or federal healthcare regulation such as: State specific Medical practice acts Health and Safety Code, especially as pertains hospital licensing Insurance Code DEA rules for prescription of controlled substances FDA rules for trials, suppliers, and equipment CMS Patient Health Record rules (for Medicare reimbursement) Multiple methods for assessing compliance JCAHO Whistleblowers and complaints Regulator audit
Why Compliance is Challenging Often, regulations require signature of persons who are not under the control of the regulated organization Practitioners and consumers Practitioners consider many of the requirements as inconveniences with little or no impact on care or with minimal financial impact to practitioner Full compliance means chasing signatures -- physically bringing the paper record to the signer for signature Multiple FTE dedicated to single task of signature acquisition Coercive approaches generally ineffective except perhaps for residents Consumers don t see the benefit of signing acknowledgements and agents don t want to retard the purchase process
esig Compliance Benefit esig provide more opportunities for compliance Allows practitioners & consumers to sign at time and location of their convenience Reduces the signer s burden for document return -- reduces dependency on fax, mail or courier Advantage currently may be limited To a subset of practitioners, members, other signer types; or a subset of documents, forms, or transactions Subset will expand in keeping with the growth of electronic business processes, Internet applications and similar trends Some HCO already successful in eliminating handwritten signature options for certain healthcare activities Typically has required a paperless mandate
Signature and Workflow Signature acquisition is a single aspect of some business process Often gates future action, i.e. can t proceed until signature is acquired For example, where the signature is an authorization or signoff on discharge summary Non-electronic workflow sequences Resist electronic management controls: reporting, routing... Where is the paper vs Where is the electronic record? Are fragile due to potential for lost, misdirected or misfiled records Include some additional steps to support conversion to and from paper formats
esig Workflow Benefit Process efficiencies Complete work faster Eliminate or reduce duplicate signature procedures Displace signature acquisition costs Enable integrated record keeping Record, transmit and track signed documents easier Provide greater user and staff convenience
Online ehealth Transactions Transaction completion Transactions initiated online often have lower completion rates whenever the process must stop for an out of band activity Consumer loses interest, fails to complete activity Necessary information fails to arrive esig allows online, uninterrupted transaction completion Reduces failure rate Reduces completion time Reduces management cost Caveat Special rules apply to electronic signature for some consumer transactions e.g. dis-enrollment from health plan e.g. need a pre-agreement to conduct some transactions electronically
Reduced document cost Electronic signature may obviate last requirements for paper Displace costs associated retention of physical paper records Paper Printing, reproduction, shipping Filing
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
Nothing new about Electronic Signature? Unless precluded by statue, an electronic signature should have presumption of validity The traditional signature concept includes. any mark made on a document and intended to serve as an indication of the party's execution or authentication of the document and intent to be bound by it ~ Martindale-Hubbell Law Directory The signature concept easily supports the idea that electronic marks can be signatures
Caveat... many sources of bias against electronic signature Wet signature laws and regulations require handwritten signatures and retention of original paper records E.g., DEA rules require examination of original signature on prescription before dispensing narcotic Blue ink regulations over form and method of signature State prescription laws State medical records regulation Payer rules Medicare Certifications of Medical Necessity Statutes of fraud that require tangible evidence of contract limiting enforceability to written contracts Especially as pertains real estate contracts Wills and testamentary trusts
E-SIGN Preemption Electronic Signatures in Global and National Commerce Act (E-SIGN) -- US Public Law 106-229 An electronic signature is any electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record E-SIGN preempts contrary state law or federal regulation A signature may not be denied legal effect, validity or enforceability solely because it is in electronic form
E-SIGN Mandate to States & Federal Regulators E-SIGN requires Regulators to rewrite rules to allow for electronic signature and electronic record retention Agencies may set performance standards for covered transactions to ensure Availability and integrity of retained transaction records Authenticity of signature Rule-making Restrictions Requires substantial justification to proceed Must be essentially equivalent to rules applying to nonelectronic transactions and may not re-impose any paper requirement Must be reasonable in implementation cost Must be technology neutral
E-SIGN Mandate Agencies may require specific technology, only if the use Serves a substantial government objective Is substantially related to that objective Even then, may not require specific hardware or software E-SIGN requires states / agencies to promulgate revised rules by June 1, 2001 Few agencies have explicitly complied In absence of a rule revision OMB Guidance on Implementing E-SIGN -- covered parties are free to retain records in electronic form of their choosing Know your regulator!!!
Removing Vestiges of Wet Signature Laws Most states have adopted Uniform Electronic Transactions Act (UETA) others have electronic signature law predating UETA and with specific provisions regarding digital signature (eg WA, IL, UT) Implements ESIGN at a State level Generally rescinds regulation requiring handwritten signatures Gives autonomy to parties to a transaction to determine method of implementing electronic signature Provides guidance (to courts) for resolution of esig disputes e.g. establishes responsibilities to mitigate errors Most rules have not been rewritten, but should be interpreted in context of UETA or non-preempted portions of state (Illinois) esig law Know your regulator!!! Agency may have specified a performance standard Agency may have idiosyncratic preemption analysis e.g. DEA view that prescription of narcotic are not in or affecting interstate commerce
Federal Paperwork Elimination Mandate E-SIGN addresses rules for transactions to which a state or federal agency is not a party Government Paperwork Elimination Act (GPEA) Title VII of Public Law 105-277 affects transactions to which a federal agency is a party Requires that agencies must support electronic submission of any form it now receives >50,000 filings per year e.g. Medicare Certificates of Medical Necessity Forms for portable oxygen, dialysis patients that require physician's blue ink signature Required to implement multiple electronic methods Compliance date, October 2003 Agency cannot mandate electronic submission Conflict with law extending HIPAA, re electronic filing for Medicare billing.
Summary Generally can use electronic signatures anywhere Statutes requiring handwritten signatures are explicitly satisfied by esig, but Regulators & legislators are slow to update rules; some antiquated rules still remain -- DEA & CMS States may have own electronic signature law whose objectives are generally consistent with E-SIGN Future esig regulations must be technology neutral Can only require specific technology if doing so serves a compelling government interest. Some state regulation at risk Consumer applications require special design consideration Consumer protection concerns
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
Technology Requirements Functional requirements derived from: esignature definition Identify signer Recognize and Record signer s intent Applicable Regulatory mandate State medical records, prescription law Important Non-functional requirements are derived from need to anticipate any future dispute over signature validity *Assumption* that signature will never be disputed, implies that there is no need for signature Signature should be part of security apparatus designed to cost effectively minimize risk
Two Significant Risks Signature Intent No signature Intent Successful assertion OK RISK (false assertion) Successful repudiation RISK (false repudiation) OK Effective electronic signature implementation will minimize the consequences associated with: False Assertion Attributes an electronic signature where there was not a valid one False Repudiation Signer successfully denies responsibility for his / her signature act Effort to prevent any repudiation may be misdirected Analysis of failure conditions provides basis for implementation decisions Consequence of signature only recognizable where authenticity is disputed
Scenarios ~ False Assertion Hospital organization improperly attributes an electronic medication order to a named practitioner Patient safety issues Practitioner dissatisfaction Health plan accepts forged signature on certificate of medical necessity for durable medical equipment Financial loss due fraud Hospital incorporates into medical record unsigned clinical notes as if they were signed Potential prejudicial impact to patient. Especially when notes not intended to be disclosed as part of legal record
Risk - False Assertion Usually due to failure of operational controls Where operational control over the esig mechanism fails Prevent impersonation of the purported signer, or Prevent record modification after signing also, poor UI design may mistake signer intent Consequences Are not immediately apparent to party relying on signature May be limited to the impacted transaction Can the transaction be revoked? at what cost? If not revocable, what is the recovery cost? Expected loss calculation L = min[c(r),c(t)] * [p(i) + p(m) - p(i)*p(m)] where c(r)= cost of recovery, c(t) = value of transaction; p(i) = likelihood of impersonation; p(m) = likelihood of modification
Scenarios ~ False Repudiation Clinician successfully denies responsibility for an order / medication dispensed under the Clinician s authority Creates inappropriate distrust in EOE and MARS New liability exposure Patient successfully denies authorizing PHI disclosure Privacy complaint and OCR sanction Employee / affiliated practitioner denies formal acceptance of user agreement / COP Reduced ability to apply sanctions / enforce policy
Risk - False Repudiation Usually due to a design failure Where the esig mechanism does collect suffcient Collect sufficient evidence to successfully dispute the repudiation Consequences Extend beyond the disputed transaction provides precedent for repudiation of other transactions Significant organizational impact if the healthcare organization challenges repudiation of its practitioners Expected loss calculation L = (min((c(lit) +.2*(c(J)),c(S))*P(D) where: c(lit) = litigation cost, c(j) = judgement requested; c(s) = anticipated settlement; p(d) - probability of dispute
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
esig is not just technology Business / legal / user context critical Do persons recognize that the particular esig action will have legal consequence? Mouse clicks do not carry the gravitas of handwritten signature Demonstration of person s intent is critical to the assertion of a particular electronic signature When user clicked ok, did he really intend to wipe his hard drive?
Electronic Signature Policy Binds use of technology to business agreements and standard practices of organization Establishes esignature business rules Fixes responsibility for operational control over esignature mechanism, retained records, etc Should be a formal policy document In medical context, should include procedures to collect practitioners explicit acceptance of signature mechanism with an intent to be bound by its use Regulatory requirement for some applications State medical records law Per FDA CFR 21 Part 11, implementer must assert intention to treat esig mechanism as equivalent to legally binding handwritten signature
Sample Policy Statements
RFC 3125 Electronic Signature Policy Useful where persons relying upon signature is different from party maintaining electronic signature application E.g., hospital collecting physician signature on health plan required certification of medical necessity Health plan may or may not accept hospital s esig scheme Policy frameworks provide a basis for negotiation of technology requirements Basis for automated verification of electronic signatures Policy elements include: Limitations on the types of transactions for which esig will be used Rules relating to trust infrastructure and required esig attributes RFC 3125 appropriate for digital signatures but concepts more generally applicable
Anticipate Dispute Resolution Process UETA provides guidance for the resolution of esig disputes Uniform Electronic Transaction Act Model codes Allows trading partners to choose method of implementing esig esig dispute resolution Generally requires showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable. Risk analysis helps calibrate the design and operation of esig system Value of transaction, costs or recovery, litigation, etc Provide cost basis for esig controls
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
Caveat Product Limitation Many EMR products lack significant abstraction of esig components Implementation flexibility limited to configuration options of vendor products Typically such products only support minimum esig practices as typified in JACHO IM standards / hospital licensing rules Implementer tasks focused primarily on establishing policy and supporting administration infrastructure
esig Design Components Signer identification and authentication Authentication can occur at any time, before or after signature act Signer authentication typically implies user registration and/or user database Signature capture Record the intention of the signer Examples: User s key stroke response to windows prompt; biometric capture; sound recording; digital signature computation Intention may be easily disputed with ephemeral electronic UI, need support of a business & legal infrastructure Validation with signer community Record retention Must be in a form that ensures accurate reproduction
Important non-functional aspects Is any confidential information required to construct signature unique to signer Affects non-repudiation Is confidential information required to verify signature? Does the signature verifier need knowledge of confidential information? Such as PIN, biometric template or other Determines whether signature is independently verifiable How is the signature represented as data? Is the representation independent of the application that created the signature Determines whether the signature is transportable How is the integrity of the signature maintained? Does integrity depend on the continuous enforcement of application, system and business controls? Determines the long term persistence of signature, affects nonrepudiation
Signature properties and use esig properties are important for different record purposes Compliance: uniqueness; non-reputability (proforma) Requirements typically set by regulation; typically requires some signer attestation of responsibility Reimbursement: independent verifiability; transportability There has to be something to send payer; payer would not normally interact with the provider system that collected the signature Liability defense: persistence, non-reputability Liability disputes may occur long after signature act. Signature disputes will be resolved by challenging the reliability of the application creating the signature. Burden of proof typically will fall onto the application owner. Business Contract: uniqueness, non-reputability
Some esig Technologies Simple Sign Computer Code Entry Digitized Signature Digital Signature
Simple Sign E-SIGN recognizes very simple schemes for esig Pressing button labeled ok or sign Some basis to determine signer s identity User identity provided by context, such as CURRENT_USER or information on completed form Advantages No explicit requirement for security / authentication infrastructure Rapid completion of online transactions, especially with persons for whom there is not an ongoing business relationship Health plan enrollment where signature is needed to authorize request for medical records Disadvantages Not particularly useful for general healthcare purposes where signer authentication is required HIPAA s appropriate safeguards
Issues May be easy to repudiate Impersonation may be easy However, signer s identity can be shown by any evidence What action is triggered by the executed record? Does that action allow subsequent identity corroboration? e.g., Funds transfer or check? Delivery of goods to signer s address? What proves intent of signer? What is potential for misinterpreting the UI? Especially when rendered by different browsers, e.g. type size issues. Must consider relevant consumer protection protections including ability to retain record / timely signature revocation Should weigh benefit of transaction completion against easy repudiation
Signature by Computer Code Entry Typical medical records practice Supported in major patient record / EOE systems Explicitly endorsed in existing hospital licensing reg. of many states; JCAHO IM standards Three components to method Person s attestation of code ownership, promise of exclusive use, and acceptance of responsibility for any use Person s entry of code to indicate signature intent System of technical security controls to prevent record modification subsequent to signing Advantages Simple to implement in secure record systems Easily implemented over network
Issues There is no explicit representation of the signature. Signature is only implicit in the execution of the system s business rules. If the record contains the entry, then it must have been signed because that is the way the system is built Controls to ensure record /signature integrity are crucial to nonreputability Issuance and management of computer codes Record locking Splitting of administrator roles and oversight Practitioner usability Scheme be generalized to include alternate user action / authentication Thumbprint; SecureID; Invoking CCOW authentication_action_agent Beware use of shared (with staff) access codes
Use Compliance By definition, the scheme provides the internal controls currently favored by regulators and JCAHO Reimbursement Scheme does not provide a signature representation to transmit to payer. Acceptance of records as authentic depends on payer s goodwill and trust in signature on file schemes Liability Defense Signature easily repudiated following the plausibility of a failure of any control. Contract Accompanying attestation provides explicit basis for UETA required agreement to be bound
Digitized Signature The handwritten signature is captured on an electronic key pad -- first derivative of a wet signature Pad creates digitized image Advanced technology may capture signature dynamics Measure supposedly biometric invariants of handwriting including speed, acceleration, sequential stroke patterns May provide some additional level of signer authentication Attach to electronic record Intuitive use of familiar practice Require specialized hardware to capture handwriting which limits deployment Some support with PDA and Tablet PC
Issues How is the signature bound to the signed record? Require additional controls to ensure that record is not modified subsequent to signature How easily can signature be repudiated? Once captured, little prevents attaching digitized signature to subsequent documents without signer s knowledge or approval I signed a record but not this record How do you demonstrate original use of signature and not reuse of earlier representation? Methodology may lack independent verifiability Open standards lacking for signature digitization and signature dynamics impeding vendor neutral implementation Dependence on proprietary verification server / software
Use Compliance Dependent on controls to ensure that digitized signature was created at time of purported signature (original use) or treat as signature stamp and follow applicable rules Reimbursement Scheme does provide a signature representation to transmit to payer. Liability Defense Signature easily repudiated following the plausibility of a failure of controls over reuse. Contract Supported by common use of handwritten signature
Digital Signature deserves special attention Most secure signature technology Cyrptograhically binds signer s signature key to fingerprint (hash) of the record Digital signature is sensitive to any record modification Virtually no potential for impersonation Persistent and transportable signature representation Presumptive validity in some states (under special conditions) e.g, Illinois secure electronic signature, UT, WA Good standards support for technical interoperability FIPS 186-2, ANSI X9.62, ANSI x9.32, W3C xml-dsig, X12.58 DICOM Profiling / ASTM e2084 healthcare standard Multiple industry recommendations HIPAA Security and Electronic Signature NPRM; HISB Joint SDO Signature Study; DEA Rules for electronic prescriptions
How Digital Signature Works Asymmetric (public key) cryptography involves 2 mathematically related keys Public key which is the inverse of the Private key Public key reverses the operation of the private key / vice versa Public key is needed to decrypt what is encrypted by related private key Fundamental tenet of public key cryptography Public key is uniquely determined by private key, but Knowledge on public key will not compromise secrecy of private key Public key bound to a named individual thru a public key certificate PKI provides policy and procedure to assure: the identity of the bound individual The bound individual possesses associated private key
Digital Signature Creation Document Apply Hash Function 4742 650B 20D5 BF03 3d2E 832A 2H3A 47BC 00B3 5FF7 Hash 20 31 2E 33 0D 25 E2 E3 CF D3 0D 0A 33 36 20 6F 62 6A 0D 3C 20 0D 2F 4C 69 6E 65 61 72 69 7A 65. Digital Signature Signer s Private key Encrypt
Digital Signature Validation 20 31 2E 33 0D 25 E2 E3 CF D3 0D 0A 33 36 20 6F 62 6A 0D 3C 20 0D 2F 4C 69 6E 65 61 72 69 7A 65. Digital Signature Decrypt Signer s Public key 4742 650B 20D5 BF03 3d2E 832A 2H3A 47BC 00B3 5FF7 Hash Compare Document Apply Hash Function 4742 650B 20D5 BF03 3d2E 832A 2H3A 47BC 00B3 5FF7 Hash
Issues Private key ownership Certificates identify key pair ownership Traditional role assigned to PKI Certificates are standardized public documents, but must be trusted to be useful Private Key Protection Exposure of private signature key compromises the authenticity of an electronic signature Merely requiring the signer to protect the private key may be inadequate Does the individual understand how to do so? What is the appropriate level of protection? Sophisticated attacks against private keys stored in software, especially in windows key store
Issues Implementation complexity w/o high level toolkit, requires specialized developer skills Requires some sort of PKI deployment to signers PKI requires ongoing management Mitigated by new enterprise PKI management models AR CoSign Signature Appliance Window 2000+ Certs managed as part of system and network administration Performance Digital signatures are computationally complex Potential unsatisfactory performance on mobile devices Speed an issue with busy practitioners Bandwidth for transmission and storage 1.5-2k bits per signature at a minimum; more depending on enveloping technology
Issues Sensitive to any change in signed record Storage, communication and display must be bit preserving May be too strong for many document types Lossy transmission and storage of high bandwidth documents, e.g. radiological images For digital signature, every bit is important Potential solutions thru use of canonical document representation Corollary: Lack of abstraction Increased abstraction as electronic health records become distributed Model view controller design philosophy separating presentation from data Focus on authenticating data, not a particular presentation of it But digital signatures defined over concrete representation of data
Digital Signature Use Compliance Signature uniqueness guaranteed by uniqueness of signer s private key; attestation from the cert subscriber agreement Reimbursement Provider institutions can readily transmit signature to payers; payers can readily verify practitioner's signature Liability defense Properly constructed digital signatures can only be repudiated by admission of signer failure to adequately protect private key Contracting Certificate subscriber agreement usually includes a declaration of the key holder s intent to be bound by associated digital signatures
Digital Signature Representations Standards based procedure to represent or envelop the digital signature Envelop contains all information needed by 3rd party to verify signer identity and message authenticity, and to properly determine the signer s intention PKCS#7 (Public Key Cryptography Standards) Defines format for signature data structure using ASN.1 PKCS#7 makes use of Basic Encoding Rules XML-DSIG Defines XML template for digital signature representation DICOM Digital Signature Profile X12.58 EDI standard for encrypting, signing, and compressing the data within an X12 transaction
Some Digital Signature Tools Microsoft VB level developer toolkit, CAPICOM Create digital signature with 2 lines of code Digital signature built into Office 2000 and successors Digitally sign any Office document Options Security Digital Signatures Cumbersome for end users, need to develop macro for general use Use certificates in IE s key store Adobe Digital signature built into Acrobat (full and Reader 6+) Creates signature keys as needed (self-sign) or use others with plug-in Supports optional specification of signature purpose OpenSSL Provides functions for basic certificate and signing operations
Microsoft support for digital signature Demo
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Precursors to Implementation Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
HIPAA Electronic Signature Standard 1996 HIPAA Law called for HHS to promulgate standard for transmission and verification of electronic signature related to HIPAA reimbursement transactions 1998 NPRM proposed that standard should involve digital signatures Limited use case for esig and reimbursement transactions Claims are not signed Attached information typically is signed Industry may be satisfied with signature on file approach Signature critical to Certifications of Medical Necessity e.g. Medicare DME and dialysis certifications Signature transmission is not included in current HL7/ X12 approach to claim attachments If the use case for the attachment potentially involves verification of a signature, the work group has defined not an attachment HL7 does not support transmission of actual signature, instead only the assertion that a particular person signed document
HIPAA Electronic Signature Standard HHS current view is to promulgate only standards that have already been widely adopted by the industry Implies that there will be NO HIPAA esig standard Mandate to use an attachment standard which defines away any requirement for signature transmission Must accept provisions will prevent plan request / requirement for other info /paper to authenticate electronic signature Therefore no opportunity for industry to widely adopt standard procedure Are Medicare Certifications of Medical Necessity health claim attachments? Include patient info transmitted from provider to payer in support of a claim How will Medicare support electronic transmission of electronic signature for Certifications as required to do by Government Paperwork Elimination Act? Medicare so emphasizes original signature that in some cases intermediaries requires blue ink
Medicare Certifications of Medical Necessity DMERC 484.2 Certification submitted by supplier of medical equipment (e.g. portable oxygen) but signed by practitioner includes various lab results; clinical evaluation / notes
HCFA 2728
HIPAA Electronic Signature Standard Transportability and independent verifiability properties are critical Signature versus mere Assertion about authorship / approval Assertion sufficient in high trust environments Does this apply to healthcare reimbursement transactions? Digital signatures are transportable and independently verifiable Potential to authenticate attached medical records without having to rely upon trust in EDI submitter For extended analysis, see http://www.tunitas.com/presentations/hipaaesigrule.zip Next NCVHS testimony on electronic signature scheduled for March 2005 Considered as part of E-Prescribing recommendation mandated by Medicare reform act.
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Role of esig Policy Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
OnLine Health Plan Enrollment Blue Cross of California By checking boxes and entering my name below I am indicating my intent to electronically sign this application and warrant that all the information I have provided is true, complete and accurate Includes checkbox to authorize medical records release Provides basis for termination should application be untrue or incomplete Method supported by Blue Cross business calculation Economic benefit of simplified transaction completion Meet HIPAA and CA authorization and receipt of notice requirements Repudiation unlikely, minimal downside to repudiation Costs in processing application Little potential harm to impersonated applicant. At worst, rejected for a health policy that did not apply for (?).
EMR / EOE Signature EMR / EOE signature technology choices are largely limited to a vendor s configuration options. Vendor typically implements practitioner signature thru familiar signature by computer code mechanism Vendor specific schemes to ensure integrity of signature Some very weak schemes leverage platform capability but may not satisfy security requirements E.g. for records stored as MSFT Office documents, use merely Tools Options Security Password to modify Anyone with password can modify, so record not locked at time of signature E.g. setting files as Read Only Administrator override
EMR / EOE Signature (cont) Vendor liability concerns What are the consequences (to vendor) should there be a failure in the controls that ensure the integrity of signed records / orders Will apply the system s digital signature to a record once signed by practitioner Ensures long term persistence of the (practitioner) signature Requires special controls over the invocation of system s signature key Prevent removal or invocation contrary to application policy Transparent to end users
Electronic Prescription of Narcotic Current DEA Rules require pharmacist to verify original signature of prescribing physician before dispensing drug Compelling government interest in ensuring the authenticity of and accountability for narcotic prescription Forthcoming rule will allow electronic prescription of narcotic if Prescription is digitally signed Signer s certificate from DEA approved CA Must reference / comply with DEA certificate policy Contemporaneous status check of certificate validity Special protection requirements for (private) signature key Biometric authentication of signer (physician) before key invocation!!! Embed key in hardware module DEA seeks to minimize false assertion risk reasonable implementation costs to be borne by regulated (organized medicine) sector
Patient Consent Large care provider capturing patient consents electronically Capture patient s digitized signature using a variety of vendor signature pad products and tablet PC Consent record includes the digital signature of person obtaining the patient s consent (clinician, ADT clerk, etc) Digital signature computed over document with attached patient signature Provides a standards based method to ensure long term integrity of consent record Avoid dependence on a variety of heterogeneous vendor solutions
Continuity of Care Record Continuity of Care Record (CCR) is an electronic record designed to track care given by a succession of providers E.g., an Electronic record provided by practitioner to hospital and subsequently to SNF What sort of electronic signature will assure authenticity of CCR entries? Is source authentication sufficient? Is it transitive? Can SNF rely upon hospital s assertion that practitioner authenticates practitioner's CCR entries? Are there limits to this transitivity? Does the CCR requires a signature which is persistent, transportable and independently verifiable? Does it require a digital signature? If so, then xml_dsig is natural choice for esig representation.
esig Overview ~ Basic Questions Why electronic signature? Where can electronic signatures be used? Regulatory and legal analysis How electronic signatures can best be created and maintained? Signature related risks and mitigation Role of esig Policy Technology of electronic signature Speculating about HIPAA Case Studies Business Case Planning
Building the Case Business Justifications Identification of specific process targets Identify success measures and set parameters Relate target objectives to specific signature properties Signature Method Select a signature technology with the appropriate properties Consider process improvement or workflow integration potential Measure success factors in pilot project
Cost Minimization Typically, esig costs are borne by the application creating the electronic record Vendor solution administered as part of the application Total costs may be minimized by centralizing some esig functions Authentication costs are reduced reuse credentials across applications, simplified admin with greater enterprise control Risk is reduced thru enterprise (rather than department) management and vetting of esignature scheme Possible sharing of software components / signature capability e.g. CCOW signature action agent which allows CCOW compliant clinical applications to share common esignature capability e.g. AR s signature appliance
Forecasting the Benefit Types of return from esig initiatives Increased compliance More efficient process management Reduced document costs Greater transaction completion Need metrics to quantify achievable benefit
Increased Compliance Measurements Percent verbal orders meeting the 48 hr rule Reduction in FTE performing signature chase Reduction in redundant signature activity Reduction in time to locate and pull records
More Efficient Process Measurements Time to complete process Time to retrieve documents Percent of incomplete process after different periods Customer satisfaction User / staff satisfaction Increase in quality of management reports
Reduced Document Cost Measurements Cost of paper Printing and delivery Filing expense Reproduction -- for archive and reimbursement Re-allocated labor dollars
Greater Transaction Completion Measurements Percentage transactions initialized but never completed Revenue loss associated with incomplete transactions Costs associated with tracking and follow-up Increase in total transactions
Addendum Resources Digital Signature Representation Formats Discussion regarding construction and use of the available standard formats for digital signatures
Resources Healthcare Electronic Signature Best Practice ASTM e1762-95 (fee). Free draft of e1762 update by request to bpankey@tunitas.com AHIMA Practice Brief Implementing Electronic Signatures http://www.ahima.org and then use search engine FDA CFR 21 Part 11 http://www.fda.gov/ora/compliance_ref/part11/ Legal / Regulatory American Health Lawyers (www.ahla.org) Health Information and Technology Practice Guide (fee) HIT mailing list State Codes Link page: http://www.edfoundation.org/electronicsignaturepolicy.htm Developer / Standards Related PKIX WG http://www.imc.org/ietf-pkix/index.html xml_dsig WG http://www.w3.org/signature CAPICOM list: http://discuss.microsoft.com/archives/capicom.html OpenSource: http://www.openssl.org
Digital Signature Representation ~PKCS#7 A data structure for encoding a digital signature DER ( distinguished encoding rules )- 1st published 1993 Assumes only that the system can process an octet string A PKCS#7 structure includes: Version and algorithm information Digital signature and manifest (optional) Signer s X.509 certificate chain and contemporaneous CRL Signer information (optional) including: signing date, signature purpose ASTM E2084 standardizes healthcare specific signature attributes Most commonly used digital signature representation Many programmer tools (e.g. RSA, Baltimore, Microsoft)
Digital Signature Representation ~ XML-Dsig W3C recommendation for XML representation of digital signature - adopted Feb, 2002 Important component of web services security Generalizes PKCS#7 concepts Defines a canonical form for document over which digital signature is computed Optional representations of public key ownership X509, PGP, SPKI, or directly exchanged key Extensible Supports a number of SignerProperties and other structure using standard XML namespace mechanisms Readily available programming Tools available Good fit with ASTM CCR and HL7 CDA standards
DICOM Digital Signature Profile Intended to standardize definition of digital signature over radiological images Defines Different signer roles and signature purposes Attributes included in the digital signature Algorithms used in generating digital signature Creates two distinct secure use profiles bit preserving digital signature use Conventional understanding and use of digital signature basic digital signature use Validation of incoming digital signature Allows transformation / compression of validated incoming data object so long as it is stored in such a way that the object is guarded against any unauthorized tampering Forwarding of the transformed data object, with digital signature defined over previously verified objects For more info, see http://medical.nema.org/dicom/2003/03_15pu.pdf
X12.58 Defines internal X12 control structures for source authentication and message integrity Supports digital signature of transaction set or function grouping of transaction sets Implementation Requires that EDI application be crypto aware More difficult to implement than options, such as s/mime, that are external to X12 message security Rarely implemented, but status may change Federal Implementation Guidelines for EDI --NIST, July 2001 The federal government is committed to providing security services for ASC X12 compliant EDI via the constructs provided by ASC X12.58. Will X12.58 be the HIPAA Final Security Standard?